Welcome to SuperSalon's Blog

• Utilizing a router with a firewall is generally the “first line of defense” in a local area network.
• Internet Modems rarely have any sort of protection on them, so a firewalled router is always recommended
• Keep as few ports forwarded as possible, except the required for the system to function.
• Be sure to change all default passwords on the modem and router. See “Passwords” section for password creation advice
• If you have a wireless router, be sure to create a wireless key that must be used to access the wireless connection.

• Use hosted solution like IP Charge that does not store data locally.
• We are currently studying the use of: http://www.verifone.com/industry-solutions/retail/payment-trends–security/verishield-protect.aspx

• VNC and other remote access software – Must use different password at each location. This can be a point of contention as customers want same password for ease of use.

• Windows operating should be set for updates to install automatically.

• Restrict access to the Internet for users. This is an excellent step to take to avoid spyware and viruses
• Restrict access to email on POS systems.
• Ensure users only have access to appropriate sections of the SuperSalon software via setup -> Permissions.

• Rogers is adding a “Kiosk Mode” feature that will force the computer to boot directly to SuperSalon and will not allow access to any other part of the computer.

This tool will make a password for you: http://www.pctools.com/guides/password/

The strongest passwords look like a random string of characters to attackers. But random strings of characters are hard to remember.

Make a random string of characters based on a sentence that is memorable to you but is difficult for others to guess.

• Think of a sentence that you will remember Example: “My son Aiden is three years old.”
• Turn your sentence into a password Use the first letter of each word of your memorable sentence to create a string, in this case: “msaityo”.
• Add complexity to your password or pass phrase Mix uppercase and lowercase letters and numbers. Introduce intentional misspellings. For example, in the sentence above, you might substitute the number 3 for the word “three”, so a password might be “MsAi3yo”.
• Substitute some special characters Use symbols that look like letters, combine words, or replace letters with numbers to make the password complex. Using these strategies, you might end up with the password “M$8ni3y0.”
• Test your new password with Password Checker Password Checker evaluates your password’s strength as you type.
• Keep your password a secret Treat your passwords with as much care as the information that they protect. For more information, see 5 tips to help keep your passwords secret.
• Change your password often

Qualities of strong passwords

Length

• Each character you add to your password increases the protection it provides.
• 8 or more characters are the minimum for a strong password; 14 characters or longer are ideal.
• The greater variety of characters that you have in your password, the harder it is to guess.
• An ideal password combines both length and different types of symbols.
• Use the entire keyboard.
• The easiest way to remember your passwords is to write them down.
• It is OK to write passwords down, but keep them secret so they remain secure and effective.

Password strategies to avoid

To avoid weak, easy-to-guess passwords:

• Avoid sequences or repeated characters“12345678,” “222222,” “abcdefg,” or adjacent letters on your keyboard do not make secure passwords.
• Avoid using only look-alike substitutions of numbers or symbolsCriminals will not be fooled by common look-alike replacements, such as to replace an ‘i’ with a ‘1′ or an ‘a’ with ‘@’ as in “M1cr0$0ft” or “P@ssw0rd”.These substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case.
• Avoid your login nameDon’t use any part of your name, birthday, social security number, or similar information for your loved ones.This type of information is one of the first things criminals will try, and they can find it easily online from social networking sites, online resumes, and other public sources of data.
• Avoid dictionary words in any languageCriminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, profanity, and substitutions.
• Avoid using only one password for all your accountsIf your password is compromised on any one of the computers or online systems that use it, you should consider all of your other information protected by that password compromised as well.It is critical to use different passwords for different systems.
• Be careful with password recovery questionsMany Web sites offer a “password ” service that lets you provide the answer to a secret question. If you forget your password, the service will send it to you if you can remember the answer to your secret question.The questions are often random, but sometimes the answers to these questions are freely available on the Web. Choose your questions carefully or make up the answers.
• Avoid using online storage If criminals find your passwords stored online or on a networked computer, they have access to all your information.

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

• Requirement 1: Install and maintain a firewall configuration to protect cardholder data

• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

• Requirement 3: Protect stored cardholder data

• Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

• Requirement 5: Use and regularly update anti-virus software

• Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

• Requirement 7: Restrict access to cardholder data by business need-to-know

• Requirement 8: Assign a unique ID to each person with computer access

• Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

• Requirement 10: Track and monitor all access to network resources and cardholder data

• Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

• Requirement 12: Maintain a policy that addresses information security

• For more information on PCI compliance we recommend you read the information on the following web site: http://www.pcicomplianceguide.org/merchants.php
• http://www.wired.com/threatlevel/2009/11/pos
• http://www2.nbc4i.com/cmh/news/crime/article/credit_card_information_stolen_from_downtown_restaurant/27276/
• http://www.computerworld.com/s/article/9141746/Ending_the_PCI_Blame_Game?taxonomyId=145&pageNumber=3
• http://www.intelli-collect.com/cblog/index.php?/archives/165-PCI-Compliance-and-the-PCI-Compliance-Fee-Security-Has-a-Price.html